Fail-safe system and technique



Sept. 17, 1957 W. G. ROWELL FAIL-SAFE SYSTEM AND TECHNIQUE Filed y s, 1956 /2 LOAD SUPPRESSION DEVICE coNDITIoN SYSTEM RESFONSIVE 7 6 8 J. RYI SENSOR T0 1 1 SENSOR SIGNAL T 9 l/ T I [5 I "a L FIG.|

2} 4 7 6 a! CONDITION |NDEPENDENT SYSTEM RESPON l LOAD 9 SENSOR sleNALMODIFIER SIVE T0 SENSOR SUPPRESSION LOAD I I S'GNAL DEVICE LOADS (12 RY2 T INVENTOR. WILLIAM G- ROWELL A TTOR/Vm United States Patent FAIL-SAFE SYSTEM AND TECHNIQUE William G. Rowell, Quincy, Mass., assignor to Scully Signal Company, Melrose, Mass., a corporation of Massachusetts Application May 8, 1956, Serial No. 583,568

Claims. (Cl. 340-213) The present invention relates to electrical systems and, more particularly, to fail-safe electrical circuits in which a load can not be falsely operated through failure of any of the components of the circuits.

In copending application Serial No. 375,224, entitled Checking Method and System, and filed August 19, 1953, now Patent No. 2,798,213, systems and techniques for producing the fail-safe operation of electrical, electronic, mechanical and electro-mechanical systems are set forth. Some of these systems and techniques are described, also, in an article entitled Fail-safe gets new meaning, by William G. Rowell and A. B. Van Rennes, appearing on pages 79 through 81 of Control Engineering, March 1956, and in an article entitled Fail-safe monitoring, by William G. Rowell, appearing on pages 28 through 31 of Electronic Design, March 1, 1956. In the output of such systems, there is usually provided a switching apparatus that recurrently operates to maintain a slowly responding load, which may assume the form of a slowly acting output or load relay, in either an energized or de-energized state, so long as the switching operation in the output continues. Failure of any of the electrical or other components in the system would produce improper operation of the output switching apparatus, and, in turn, would result in de-energizing or energizing the output or load relay, indicating a failure in the system.

An object of the present invention is to provide a new and improved switching apparatus of the above-described character that is particularly adapted for operation in the fail-safe systems above-described.

A further object is to provide a more generally usable electrical switching apparatus that is adapted for recurrent operation and that, through such operation, controls the ultimate response of an electrical load and insures that any failure in the switching apparatus or the associated circuitry will not result in falsely holding the load energized or de-energized, whichever condition it is normally desired to maintain. The term fail-safe as used in the specification and claims is intended to connote that integrity failure of any of the components involved in the circuits will not result in false operation of the ultimate output load.

'An additional object of the present invention is to provide a new and improved technique of fail-safe operation that is adapted for practice with a wide variety of different types of apparatus including electrical, electronic, mechanical and electro-mechanical devices. I

Still an additional object is to provide a new and improved system of the character described which embodies presently available conventional inexpensive components, and does not necessitate the utilization of specialized electrical components.

A further object is to provide such a switching apparatus that is particularly adapted'for use in installations where the terminal power supply is alternating current.

While various proposals have heretofore been made for providing switching systems that recurrently operate to store energy and then to deliver-energy to an output 2,807,009 Patented Sept. 17, 1957 load, many such systems, with the exception of some of those described in the said copending application and the above-mentioned articles, are subject to the difliculty that the associated electrical switching contacts may become shorted, fused together or otherwise damaged, and other similar circuit failures may take place such that the ultimate load may become falsely operated. Some prior-art devices of this character embody load relays that must be of special construction, such as those of the polar type having special means whereby the relay is slow-acting in the release direction only. Such devices require mechanical dash-pot arrangements and the like in order to obtain the essential slow action in one direction only, which add to the complexity and cost of the device.

In accordance with the present invention, on the other hand, simple conventional electrical components may be utilized to obtain complete fail-safe operation irrespective of short-circuited or fused-together parts, or other damage or failure in the system. In summary, the technique and system underlying the present invention provides for switching means that is adapted to occupy alternate positions and that is repetitively operated at a predetermined repetition rate or rates repetitively to alternate between these positions. Means is provided for supplying alternating-current potential. Means for converting the alternating-current potential to direct-current potential and potential-storing means are also provided. An electric circuit operates when the switching means occupies one of its positions to connect together the supplying means, the converting means and the storing means to store direct-current potential in the storing means. A slow-response direct-current-operated load is provided that is adapted to respond after the elapse of a period of time greater than the period or periods of the said repetition rate or rates. A further electric circuit operates when the switching means occupies the alternate position to shunt the converting means and simultaneously to connect the potential-storing means to the load. Preferred constructional details are hereinafter disclosed.

The invention will now be explained in connection with the accompanying drawings, Fig. 1 of which is a block diagram of a system embodying the present invention as a preferred output component thereof;

Fig. 2 is a block diagram of a modification; and

Fig. 3 is a circuit diagram of the invention in preferred form.

Referring, first, to Fig. l, a system is therein disclosed in which an element 2, labelled Condition Sensor, is provided for detecting any signal, event or condition that it is desired to monitor or receive and for passing an electrical signal indication thereof to a system 4, labelled System Responsive to Sensor Signal." The condition sensor 2 may comprise any kind of detecting device, such as, for example, a light-sensing element, a radiation-sensing element, a sound-sensing element, a heat-sensing element, an electro-mechanical transducer, 21 forceor pressure-sensing element, a currentor voltage-sensing ele ment, or any other type of monitoring or receiving device, as explained in said application and the said articles.

The system 4 may be any kind of receiving, amplifying or transmission system and the like.

the principal signal through the system 4 between its' input and output. Connected with the output conductor 7 is a load-suppression device 6 indicated schematically The connection from the condition sensor or detector 2 to the left-hand side or' as comprising a relay RY1, the armature of which, indicated by the vertical dotted line 11, controls not only the before-mentioned switch 3, but, also, a further switch generally represented by the numeral 15. The switch 15 is schematically illustrated as adapted either to make or break connection with a further conductor 9 that connects to an ultimate output termination 8, labelled Load. This schematic representation is intended to indicate that when the relay RY1 is, for example, energized, the switch 15 may connect with conductor 9 and normally energize the load 8. When, however, the relay RY1 is tie-energized, the switch 15 may disconnect from the conductor 9. It is to be understood, of course, that the converse condition of normally maintaining the load 8 de-energized and then energizing the same way, if desired, be employed. Continuing with the assumption of normal energization of the load 8 upon energization of the relay RY1, the advent of the principal signal in the output conductor 7, resulting in the energizing of the coil of the relay RY1, also causes the relay armature 11 to open the switch 3. This opens the connection between the conductors 1 and and thus the connection between the condition sensor 2 and the system 4. Such a break in the input circuit results in modifying, modulating or chopping the principal signal in the input to the system 4 so that the principal signal no longer appears in the output conductor 7. The relay RY1 accordingly becomes thereupon deenergized and its armature again closes the switch 3 thus to restore the feeding of the principal signal to the input of the system 4 from the condition sensor 2- by way of the conductor 1, the closed switch 3 and the conductor 5. This feed-back or reaction from the output to the input of the system 4 is thus caused to occur periodically at a predetermined repetition rate or rates, providing, in etlect, a chopping checking signal which accompanies the principal signal flowing through the system 4 between its input and output. So long as this oscillating reactive efiect between output and input takes places, the relay RY1 will continue to recover the checking signal at the said repetition rate or rates and continue to modify the principal signal at that rate or rates. The system 4 will thus be maintained in periodic checking operation. multaneously therewith, the switch will periodically connect to the conductor 9 and disconnect therefrom, thus, as explained in the said application and articles, and as hereinafter more fully explained, periodically feeding energy to keep the ultimate output load 8 energized. The load 8 is a slowly responsive device that is adapted to respond only in a period of time greater than the said repetition rate or rates of the before-mentioned signal modification, so that only in the event of the loss of the checking signal or chopping modification, will the load 8 respond to produce an indication of failure in the system.

It is not necessary, though it is preferred for purposes of simplicity and economy, that the feed-back control of Fig. 1 be utilized. As explained in the previously mentioned application and articles, the checking signal may be introduced by means of an independent signal moditier 3', Fig. 2, placed, for example, between the condition sensor 2 and the input of the system 4. Again, however, the recovery of the checking signal in the output loadsuppression device 6, will maintain the load 8 energized so long as the checking signal, produced by the independent signal modifier 3', accompanies the principal signal to the output of the system 4. If desired, moreover, the signal reaching the condition sensor 2 may already be provided with a checking-signal modification.

In Fig. 3, a preferred type of load-suppression device 6 is illustrated, comprising the relay RY1 for receiving the periodically modified principal signal by means of the conductor 7. The switch 15 of Fig. 3 is more specifically defined than in the schematic showing of Fig. 1, comprising two switch members 15a and 15b synchronously operated by the movement of the armature 11. Restoring springs 13 and 25 normally hold the respective switch members 15a and 15b in the illustrated position, in engagement with respective contacts A and E. When the armature 11 moves downward in response to energization of the relay RY1, it pivots the switches 15a and 15b downward about the pivot contact points B and D to a lower position of operation. The switch member 15a then makes electrical contact between the pivot point B and the switch contact C. This serves to connect into electrical circuit a terminal 17, a limiting impedance, illustrated as a resistor R, a storing capacitor C1, a rectifier S, the pivot point B, the switch member 1.5a, the switch contact C and a further terminal 19. Alternatingcurrent voltage A. C. is supplied to the terminals 17 and 19 so that the capacitor C1 charges or stores direct-current potential converted by the rectifier S from the alternating-current potential applied at the terminals 17 and 19. At the same time, the switch 15b is disconnected from the contact E and the switch 3 disconnects the conductors 1 and 5 to chop the principal signal at the input. The relay RY1 thus becomes de-energized so that the restoring springs 13 and 25 return the switch members 15a and 15b to their illustrated upper position. In such upper position, the switch 15a connects the pivot contact point B to the switch contact A, thus shunting the rectifier S. The switch 15b, on the other hand, connects the pivot contact point D to the switch contact E, as shown, and provides a connection by means of which the capacitor C1 may feed-out or deliver its stored direct-current potential to the load 8. The load 8, in turn, is illustrated as a slow-release direct-current-operated relay RY2, designed to provide a high impedance to alternating-current energy, as is customary with conventional direct-current relays. The circuit for this delivery, during the time that the switches 15a and 15b occupy the illustrated upper position, is traceable from the left-hand side of the capacitor C1 through the resistor R, the contact the switch member 15b, and the pivot point D, to the lower terminal of the load relay RY2, and thence from the upper terminal thereof through the pivot point B, the switch member 15a, and the contact A, back to the right-hand side of the capacitor C1. The ultimate load relay RY2 is shunted by a conventional holding capacitor C2.

Since, as before stated, the relay RY1 is periodically energized and de-energized at the repetition rate or rates of the checking signal before-referred to, the switching members 15a and 15b are alternately operated at the said rate or rates, thus alternately to store energy in the condenser Cl through the rectifier S from the alternatingcurrent means 17, 19, and thence to shunt the rectifier S and to deliver the stored energy to the slow-response load relay RY2. The response of the direct-current relay RY2 is adjusted to permit, for example, a release response after the lapse of a period of time greater than the period or periods of the before-mentioned repetition rate or rates. So long as the switch members 1511 and 15b are recurrently operated at the stated rate or rates, the load relay RY2 will remain efiectively energized. The frequency, of course, may be determined by the values of C1, C2, and the resistance of the load-relay coil RY2 with the applied voltage.

It will be evident that the system of Fig. 3 is completely fail-safe, in that the load 8, no matter what form it may assume, will not be falsely energized if the integrity of any of the components of the circuit is lost. As an illustration, if there were lack of contact continuity between the switch members 15a and 15b and any of the contacts A, C or E, the load RY2 could not be falsely operated. Dirt accumulating upon, or pitting of, the contacts, therefore, such that continuity does not exist, will not result in false operation of the load 8. Similarly, the .open-circuiting of any of the components can not result in the false operation of the load relay RY2. The shorting of components other than the switch contacts also can not cause false operation. If, however, either the rectifier S or the condenser C1 were to become shortcircuited, this condition could result in the destruction of one or the other of these components when the switch member a connects with the contact C, but it will not result in false operation of the load 8. By similar token, shorted switching contacts, during the recurrent operation of the system, will not result in false operation of the load. If, for example, any of contacts A and B, contacts A and C, contacts A and -D, contacts A and E, contacts B and C, contacts B and D, contacts B and E, contacts C and D, contacts C and E, or contacts D and E were shorted, there could be no false operation of the load relay RY2. In the event of the shorting of contacts A and C or contacts B and C, the condenser C1 might be destroyed. In the event of the shorting of contacts A and E, the rectifier S might be destroyed when contacts B and C are connected together. The shorting of contacts B and E might result in contacts C and B being destroyed when they are connected across the voltage supply. Similarly, the shorting of contacts C and D might result in the destruction of contacts D and E as they, in turn, become connected across the voltage supply. By similar token, when contacts D and E are shorted, the connecting of contacts B and C may result in the destruction of the condenser C2 as it is thereupon connected across the voltage supply.

In all cases, however, the important result is attained that the circuit will not falsely indicate, through false operation of the ultimate load 8, that there is integrity in the circuit when such is not the case. True fail-safe operation is thus achieved. If it were desired to prevent destruction of components, .as'a'bove mentioned, fuses may be placed in the circuit to accomplish this end. In experimental tests with the circuit of Fig. 3, moreover, it has been determined that in cases where short-circuits are intermittently applied, and none of the components actually fail, the load relay RY2 will function normally upon removal of the short-circuit. If it were desired to prevent the apparatus that may be controlled ultimately by the load relay RY2 from becoming re-operated once the load relay RY2 has become de-energized, even though it subsequently again becomes energized, locking circuits, well known in the art, may be utilized.

:It is to be understood that the ultimate load 8 may assume other forms than the relay RY2, as explained in the said application and the said articles. It may, for example, comprise an indicating or a controlling apparatus, or it may comprise a meter or any other suitable type of direct-current load. The load relay RY2, moreover, may itself have contacts not shown, as discussed in the said articles and in the said application, which, in turn, can operate to control further apparatus. In such event, the previously mentioned locking circuits may be of considerable utility.

While the invention has been described in connection with its important application to the fail-safe systems of Figs. 1 and 2, it being understood that the additional switch 3 of Figs. 1 and 3 need not be employed when the circuit 6 of Fig. 3 is applied in the system of Fig. 2, the invention is of broader utility in any applications where periodic or switched feeding of a load is desired. The conductor 7 feeding the relay RY1 may therefore comprise any kind of recurrent signal source for periodically energizing the relay RYl. In addition, the invention is by no means restricted to operation with an electromagnetic relay. Switches 15a and 15b may, for example, be entirely mechanically operated through a me chanical timer device and the like. The techniques underlying the present invention, accordingly, are completely adaptable for use with purely mechanical vibrating systems, as well as the electrical systems before referred to. Similarly, other types of electro-mechanical switching mechanisms may be employed to attain the fail-safe results achieved in accordance with the present invention.

Further modifications will occur to those skilled in the art and all such are considered to fall Within the spirit and scope of the invention as defined in the appended claims.

What is claimed is:

1. In an electrical system in which a principal signal modified by a repetitive checking signal having a predetermined rate or rates of repetition is transmitted from the input to the output of the system, an output circuit comprising switching means responsive to the recovery of the checking signal from the principal signal in the output and adapted repetitively to occupy alternate positions at the said repetition rate or rates, means for supplying alternating-current potential, means for converting alternating-current potential into direct-current potential, potential-storing means, an electric circuit operative when the switching means occupies one of its positions to connect together the supplying means, the converting means and the storing means to store directcurrent potential in the storing means, a slow-response direct-current-operated load adapted to respond after the elapse of a period greater than the period or periods of the said repetition rate or rates, and a further electric circuit operative when the switching means occupies the alternate position to shunt the converting means and simultaneously to connect the potential-storing means to the load.

2. In an electrical system in which a principal signal is transmitted from the input to the output of the system, an output circuit comprising switching means responsive to the reception of the principal signal in the output for alternately first reacting upon the principal signal in the input to modify the same and then responding to the resulting modification in the output to restore the principal signal at the input, thereby to produce a repetitive checking-signal modification of the principal signal at a predetermined rate or rates of repetition, the switching means occupying alternate positions during such operation, means for supplying alternating-current potential, means for converting alternating-current potential into direct-current potential, potential-storing means, an electric circuit operative when the switching means occupies one of its positions to connect together the supplying means, the converting means and the storing means to store direct-current potential in the storing means, a slowresponse direct-current-operated load adapted to respond after the elapse of a period greater than the period or periods of the said repetition rate or rates, and a further electric circuit operative when the switching means occupies the alternate position to shunt the converting means and simultaneously to connect the potential-storing means to the load.

3. In an electrical system in which a principal signal modified by a repetitive checking signal having a predetermined rate or rates of repetition is transmitted from the input to the output of the system, an output circuit comprising relay-controlled switching means responsive to the recovery of the checking signal from the principal signal in the output and adapted repetitively to occupy alternate positions at the said repetition rate or rates, means for supplying alternating-current potential, rectifying means, capacitor means, an electric circuit operative when the switching means occupies one of its positions to connect together the supplying means, the rectifying means and the capacitor means to store direct-current potential in the capacitor means, a direct-current-operated capacitor-shunted load relay adapted to respond after the elapse of a period greater than the period or periods of the said repetition rate or rates, and a further electric circuit operative when the switching means occupies the alternate position to shunt the rectifying means and simultaneously to connect the capacitor means to the capacitor-shunted load relay.

4. In an electrical system in which a principal signal is transmitted from the input to the output of the system, an output circuit comprising relay-controlled switching means responsive to the reception of the principal signal in the output for alternately first reacting upon the principal signal in the input to modify the same and then responding to the resulting modification in the output to restore the principal signal at the input, thereby to produce a repetitive checking-signal modification of the principal signal at a predetermined rate or rates of repetition, the switching means occupying alternate positions during such operation, means for supplying alternating-current potential, rectifying means, capacitor means, an electric circuit operative when the switching means occupies one of its positions to connect together the supplying means, the rectifying means and the capacitor means to store direct-current potential in the capacitor means, a directcurrent-operated capacitor-shunted load relay adapted to respond after the elapse of a period greater than the period or periods of the said repetition rate or rates, and a further electric circuit operative when the switching means occupies the alternate position to shunt the rectifying means and simultaneously to connect the capacitor means to the capacitor-shunted load relay.

5. An electrical system having, in combination, switching means adapted to occupy alternate positions, means for repetitively operating the switching means between its positions at a predetermined repetition rate or rates, means for supplying alternating-current potential, means for converting alternating-current potential to direct-current potential, potential-storing means, an electric circuit operative when the switching means occupies one of its positions to connect together the supplying means, the converting means and the storing means to store direct-current potential in the storing means, a slow-response directcurrent-operated load adapted to respond after the elapse of a period greater than the period or periods of the said repetition rate or rates, and a further electric circuit operative when the switching means occupies the alternate position to shunt the converting means and simultaneously to connect the potential-storing means to the load.

6. An electrical system having, in combination, switching means adapted repetitively to occupy alternate positions at a predetermined repetition rate or rates, means for supplying alternating-current potential, means for converting alternating-current potential to direct-current potential, potential-storing means, an electric circuit operative when the switching means occupies one of its positions to connect together the supplying means, the converting means and the storing means to store directcurrent potential in the storing means, a slow-response direct-current-operated load adapted to respond after the elapse of a period greater than the period or periods of the said repetition rate or rates, and a further electric circuit operative when the switching means occupies the alternate position to shunt the converting means and simultaneously to connect the potential-storing means to the load.

7. An electrical system having, in combination, relaycontrolled switching means adapted to occupy alternate positions, means for repetitively operating the relay-controlled switching means between its positions at a predetermined repetition rate or rates, means for supplying alternating-current potential, rectifying means, capacitor means, an electric circuit operative when the switching means occupies one of its positions to connect together the supplying means, the rectifying means and the capacitor means to store direct-current potential in the capacitor means, a direct-current-operated capacitor-shunted load relay adapted to respond after the elapse of a period greater than the period or periods of the said repetition rate or rates, and a further electric circuit operative when the switching means occupies the alternate position to shunt the rectifying means and simultaneously to connect the capacitor means to the capacitor-shunted load relay.

8. An electrical system having, in combination, relaycontrolled switching means adapted repetitively to occupy alternate positions at a predetermined repetition rate or rates, means for supplying alternating-current potential, rectifying means, capacitor means, an electric circuit operative when the switching means occupies one of its positions to connect together the supplying means, the rectifying means and the capacitor means to store directcurrent potential in the capacitor means, a direct-currentoperated capacitor-shunted load relay adapted to respond after the elapse of a period greater than the period or periods of the said repetition rate or rates, and a further electric circuit operative when the switching means occupies the alternate position to shunt the rectifying means and simultaneously to connect the capacitor means to the capacitor-shunted load relay.

9. A fail-safe system for preventing false effective energization of an electrical load through integrity failure of any of the components of the system having, in combination, voltage terminals adapted to be energized with alternating-current potential, rectifier means for converting said potential to direct-current potential when energized from the said voltage terminals, capacitor means associated with the said rectifier for storing the converted potential, switching means having multiple positions and adapted to be recurrently operated between these positions at a predetermined frequency, said switching means eing arranged in one of its positions to switch the said voltage terminals to the said rectifier means and capacitor means in order to permit the said capacitor means to store the converted potential, said switching means being further arranged in another of its positions to shunt the said rectifier means, and a slowly de-energizable load adapted to be responsive to direct-current potential only and arranged to be effectively energized from the said stored converted potential during the recurrent periods that the rectifier means is shunted.

10. A fail-safe system for preventing false effective energization of an electrical load through integrity failure of any of the components of the system having, in combination, voltage terminals adapted to be energized with alternating-current potential, rectifier means for converting said potential to direct-current potential when energized from the said voltage terminals, capacitor means associated with the said rectifier for storing the converted potential, relay-controlled switching means having multiple positions and adapted to be recurrently operated between these positions at a predetermined frequency, said switching means being arranged in one of its positions to switch the said voltage terminals to the said rectifier means and capacitor means in order to permit the said capacitor means to store the converted potential, said switching means being further arranged in another of its positions to incapacitate the said rectifier means, and a slowly de-energizable load relay adapted to be responsive to direct-current potential only and arranged to be effectively energized from the said stored converted potential during the recurrent periods that the rectifier means is incapacitated. 1

References Cited in the file of this patent UNITED STATES PATENTS 

